A Botnet Under an Anti-virus Vendor's Control?!! Microsoft Claims…

A long time ago, when the only famous anti-virus vendors were Norton and McAfee and maybe a few others, there were not as many viruses in the cyber world as there are now. People felt much safer on the internet, and that was why so many avoided using anti-virus software. People also avoided anti-virus software because their PCs were not capable of running it and simply crashed, especially when the PC was under a heavy load.

Now I remember a rumor which was spreading among people during that time. The rumor was about the possibility that anti-virus software could itself infect computer systems with a virus. Honestly speaking, right now as I am writing this I don't really remember what people thought the possible reasons would be for a software company to do such a thing, but sometimes rumors come out of nowhere, you know.

I was thinking of all these old stories today, and while surfing the net something came to my attention. Microsoft claims the botnet Kingpin is somehow related to an anti-virus vendor. It seems they have tracked down the botnet and got to a Russian guy called Andrey N. Sabelnikov, who previously worked for an anti-virus vendor. The botnet he had designed was pretty advanced and did everything from sending spam to stealing financial information, and so many other things that botnets usually do.

It seems that working for an anti-virus company gave him enough clues on how to infect a lot of computers and eventually create a botnet under his control. But the question is whether this guy could by any means still be connected to his previous (of course not really) company, and whether this could be a mission carried out for the company. And then there is another question: why would such a company need to have a botnet under its control?

Could a company be behind stealing so much financial information? Is it really worth doing such a risky thing? If yes, had they predicted that their man in charge could be caught? Would they do it solely for the direct illegal financial outcome, or for the indirect financial outcome coming from the sales of their anti-virus software?

These are the things that kept my mind really busy today, and I was thinking to myself that those rumors of the past are becoming reality now; it seems that having a botnet under control has become really worthwhile in terms of financial outcome. If this story is true, which it seems to be, how sure can we be about the safety of our systems and information?!!

What are Honeypots?!!

Today I would like to speak to you all about honeypots. The purpose of this article is to provide you with a detailed analysis of what honeypots are, some of their characteristics, the different types of honeypots, their pros and cons, the actual mechanics of how they work, and who uses them; also the methods by which they can prevent attacks, and of course their value as a technology, from common users up to corporate use.

The word “honeypot” originated from an espionage technique used during the Cold War, with its origins based on sexual entrapment. The term “honeypot” described the use of a female agent to sexually entrap a male official of the other side for the purpose of gaining information. For example, he would hand over top-secret, for-his-eyes-only information, not knowing her true intention as an informant was to pass on our troop movements by land, air and sea, our supply lines, and future plans for the deployment of an invasion or the evacuation of troops. Not knowing the agent's true intention: think of the movie Hostel. So now to the computer meaning of a honeypot. A honeypot is a decoy resource that pretends to be a real target, setting up a trap and expecting to be attacked or compromised. The main goals are the distraction of an attacker and the gain of information about the attacker, his methods of attack, and his tools. Pretty much, a honeypot attracts attacks because it acts like a weakened system and an entrance to the target; it is like the fire leading a moth to the flame.

I feel honeypots are an effective countermeasure in the attempt to prevent unauthorized use of critical information systems on the network. Here are the basic characteristics of honeypots: one, they are highly flexible systems; two, they are able to detect attackers' movements and behaviors; and three, they capture the latest spreading on-line vulnerabilities on the network for the administration team to analyze and fix, for a stronger network. Where are honeypots being used, and by whom? Honeypots are being used at government buildings, big businesses, other non-profit organizations, and schools like here at ECU. As you will read and have explained, the government, big businesses and other non-profit organizations use honeypot technology for production purposes, as support against attacks that attempt to invade secure systems and bring them down. Instead, the attacker will attack the decoy honeypot, which serves its purpose. As for the schools, they use honeypot technology for research purposes: to study and teach future security majors the weaknesses exposed by the different attacks captured by the honeypots, and as a method of developing new tools for future defense to add to the network.


A Step by Step Guide on How to Set Up Teredo Tunneling…

What is Teredo? A Microsoft-supported tunnel that is established directly from your client machine. Teredo was meant to be used only by applications that specifically request it. For this reason, a host that has Teredo enabled would only ever use Teredo to connect to IPv6-only machines. If IPv4 is an option, it will always prefer that. So, why talk about it first? Because it ships with both Windows XP SP2 and Windows Vista/7 – enabled by default in the latter two, though not enabled for “general application use” by default – and we can expect it to be used to get to IPv6-only content, as tunnel brokers, on the outside, may seem like more work to set up. And indeed, with the release of an IPv6-capable uTorrent and HE’s provisioning of Teredo relay servers, Teredo traffic has spiked sharply.

Setting up Teredo

And here’s the step by step guide on how to set up Teredo. Again, keep in mind, IPv4 will always be preferred. go6.net will show you an IPv4 address if all you have is Teredo.

Windows XP SP2

  • Realize that Teredo in Windows XP does not support Hide NAT, aka PAT, aka many-to-1 NAT, aka what your home router does. In Teredo language, that kind of NAT is called “Symmetric NAT”, and it’s just not supported by the Teredo implementation in XP. You can still experiment some by sticking a host onto the Internet directly, without a home router in between. If you have an additional public IP address, you could also set up a Static NAT (aka 1-to-1 NAT), which Teredo calls a “Cone NAT” (if you allow all incoming) or “Restricted Cone NAT” (if you disallow incoming connections), and which is supported. My experiments with my router’s “DMZ” setting, to see whether that will get around the issue, have been less than successful. While Teredo claimed I was behind “cone” NAT, I still had no connectivity.
  • Add the IPv6 protocol to your interface. Control Panel | Network Connections -> Right-Click “Properties” on your LAN or WiFi connection, “Install…”, “Protocol”, “Add…”, choose “Microsoft TCP/IP version 6”, hit “OK” until you’re out again.
  • Open a command line – “cmd” from Start | Run – and run “ipconfig /all”. You should now see a “link local” IPv6 address, which looks something like “fe80::214:85ff:fe2f:8f06%4”. This won’t be useful for connecting to anything “out there”, but it’ll let you know IPv6 is up and running.
  • Configure Teredo. Assuming you are in the US, the command would be “netsh interface ipv6 set teredo client teredo.ipv6.microsoft.com”. If you are elsewhere in the world, you may be able to find a closer Teredo server.
  • If you are on a Windows domain – as opposed to a home workgroup – Teredo will stay disabled even if you configure it. You can get around that with the command “netsh interface ipv6 set teredo enterpriseclient”.
  • The command to see the configured Teredo parameters is “netsh int ipv6 show teredo”, and the message indicating that a user is behind PAT, and thus Teredo won’t work here, is “Error : client behind symmetric NAT”.
  • Use an IPv6-only host to test connectivity. If you can connect to http://ipv6.google.com/, it’s working. Or you could “ping ipv6.google.com” from the command line, which should show you an IPv6 address, and succeed.
  • A useful command to use while trying different configurations is “netsh int ipv6 renew”, which will re-negotiate the Teredo tunnel. “netsh int ipv6 show route” will show you ipv6 routes.
  • Keep in mind that Windows XP will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.
  • Lastly, there are reports that Firefox 2 on Windows XP does not handle IPv6 well. Try Firefox 3, or Internet Explorer.

Windows Vista

  • IPv6 and Teredo both are enabled by default in Windows Vista. Teredo also supports Hide-NAT aka PAT aka what your home router does. Woo, we’re done? Not so fast, young Anakin: In order to avoid IPv6 connectivity issues caused by default Teredo tunnels, Microsoft have configured DNS so that the system will never resolve any name to an IPv6 address, as long as the system only has link-local and Teredo IPv6 addresses. Teredo is meant to be used by applications that specifically request its use, and that does not include any browsers.
  • Thus, we need to hoodwink Vista. If the criterion is “has only link-local or Teredo addresses”, why, then we need to supply another address. Luckily, 6to4 maps the entire IPv4 address space into IPv6, so we can use that. In reality, it doesn’t matter which address we configure, since it won’t ever be used anyway. Open up the Properties of your LAN or WiFi interface, and change it to have a static IPv6 address. Use either the converted IPv4 address you figured out using the link I gave, or use the 192.168.1.2 equivalent of 2002:c0a8:102:: with a netmask of 48. Do not configure a default gateway for this address.
  • Vista would now resolve names to IPv6 addresses, but we need to force it to route traffic through our Teredo interface first. For this, you’ll need to run a Command prompt as “Administrator”. Create a shortcut to a Command prompt on your desktop, then right-click “run as administrator”.
  • Figure out the ID of your “Teredo Tunneling Pseudo-Interface” using “route print” and looking at the “Interface List” at the top of its output. In my case, it is “14”. Then, using this ID, add a default route that forces all IPv6 traffic through Teredo: netsh interface ipv6 add route ::/0 interface=14
  • Use an IPv6-only host to test connectivity. If you can connect to http://ipv6.google.com/, it’s working. Or you could “ping ipv6.google.com” from the command line, which should show you an IPv6 address, and succeed.
  • Keep in mind that Windows Vista will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.

[Edit 2010-02-24 – added Windows 7 and Troubleshooting sections]

Windows 7 [this is the same procedure as for Vista, tested on Win7 x64]

[Edit 2010-04-09 – replaced kludgy workaround for disappearing default route with elegant workaround received through comment]

  • IPv6 and Teredo both are enabled by default in Windows 7, just as in Vista. Also as in Vista, Microsoft have configured DNS so that the system will never resolve any name to an IPv6 address, as long as the system only has link-local and Teredo IPv6 addresses.
  • Thus, we need to hoodwink Win7. As with Vista, we will provide a 6to4 address. Luckily, 6to4 maps the entire IPv4 address space into IPv6, so we can use that. In reality, it doesn’t matter which address we configure, since it won’t ever be used anyway. Open up the Properties of your LAN or WiFi interface, and change it to have a static IPv6 address. Use either the converted IPv4 address you figured out using the link I gave, or use the 192.168.1.2 equivalent of 2002:c0a8:102:: with a netmask of 48. Do not configure a default gateway for this address.
  • In order for Win7 to resolve names to IPv6 addresses, we need to force it to route traffic through our Teredo interface first. For this, you’ll need to run a Command prompt as “Administrator”. Create a shortcut to a Command prompt on your desktop, then right-click “run as administrator”.
  • Figure out the ID of your “Teredo Tunneling Pseudo-Interface” using “route print” and looking at the “Interface List” at the top of its output. In my case, it is “14”. Then, using this ID, add a default route that forces all IPv6 traffic through Teredo: netsh interface ipv6 add route ::/0 interface=14
  • Use an IPv6-only host to test connectivity. Try to ping ipv6.google.com or connect to http://ipv6.google.com/.
  • Keep in mind that Win7 will always prefer IPv4 over IPv6 when Teredo is used for IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.
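As an added example that is not part of the original guide, the Python script below works through the address arithmetic behind the steps above: it derives the 6to4 /48 used in the "static IPv6 address" step, unpacks the fields Windows embeds in a Teredo address (the Teredo server, the cone-NAT flag, and the external UDP port and IPv4 address that the address reveals about your host to every IPv6 peer you talk to), and applies the guide's stated rule for when Vista/Win7 will return IPv6 addresses from DNS. All addresses are constructed samples; `teredo.ipv6.microsoft.com` is not contacted.

```python
import ipaddress

# Teredo addresses live in 2001::/32 (RFC 4380); 6to4 addresses in 2002::/16 (RFC 3056).
TEREDO_NET = ipaddress.IPv6Network("2001::/32")
SIXTOFOUR_NET = ipaddress.IPv6Network("2002::/16")


def sixtofour_prefix(ipv4: str) -> str:
    """Derive the 6to4 /48 used in the Vista/Win7 'static IPv6 address' step:
    the 16-bit prefix 2002 followed by the 32 bits of the IPv4 address, zero-filled."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    net = ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))
    return str(net)


def decode_teredo(addr: str) -> dict:
    """Unpack the fields Windows embeds in a Teredo address.

    Layout (RFC 4380), 32 bits each unless noted:
      2001:0000 | server IPv4 | flags (16) | UDP port ^ 0xFFFF (16) | client IPv4 ^ 0xFFFFFFFF
    The cone bit is the top bit of the flags field; Vista/7 may randomise the remaining
    flag bits, so only the cone bit is interpreted here.
    """
    a = ipaddress.IPv6Address(addr.split("%", 1)[0])  # drop a "%4"-style zone index
    if a not in TEREDO_NET:
        raise ValueError(f"{addr} is not a Teredo address")
    bits = int(a)
    server = ipaddress.IPv4Address((bits >> 64) & 0xFFFFFFFF)
    flags = (bits >> 48) & 0xFFFF
    port = ((bits >> 32) & 0xFFFF) ^ 0xFFFF
    client = ipaddress.IPv4Address((bits & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    # The stdlib knows the server/client pair; use it to cross-check the manual unpacking.
    assert a.teredo == (server, client)
    return {
        "server": str(server),
        "cone_nat": bool(flags & 0x8000),
        "mapped_port": port,
        "client": str(client),
    }


def classify(addr: str) -> str:
    """Label one address the way you would read it off 'ipconfig /all'."""
    a = ipaddress.IPv6Address(addr.split("%", 1)[0])
    if a.is_link_local:
        return "link-local"
    if a in TEREDO_NET:
        return "teredo"
    if a in SIXTOFOUR_NET:
        return "6to4"
    return "global"


def vista_resolves_aaaa(addresses) -> bool:
    """The rule the guide works around: Vista/Win7 only resolve names to IPv6
    addresses if the host has some address that is neither link-local nor Teredo."""
    return any(classify(a) not in ("link-local", "teredo") for a in addresses)


# Constructed sample: what a host shows before the workaround (link-local + Teredo
# only), and the same host after the static 6to4 address has been added.
BEFORE = ["fe80::214:85ff:fe2f:8f06%4", "2001:0:4136:e378:8000:63bf:3fff:fdd2"]
AFTER = BEFORE + ["2002:c0a8:102::"]

if __name__ == "__main__":
    print(sixtofour_prefix("192.168.1.2"))                        # 2002:c0a8:102::/48
    print(decode_teredo(BEFORE[1]))                               # server, cone flag, port, client
    print(vista_resolves_aaaa(BEFORE), vista_resolves_aaaa(AFTER))  # False True
```

The decoded client address and port are exactly what a NAT-traversal tunnel has to expose, which is worth remembering before leaving Teredo enabled on a machine that otherwise sits behind a home router.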


A Complete Guide on Active Directory Certificate Services in Windows Server 2008 R2

Windows Server 2008 R2 includes a built-in Certificate Authority (CA) technology that is known as Active Directory Certificate Services (AD CS). The first iteration of AD CS emerged with Windows Server 2008, though previous versions of the technology were simply known as Certificate Services. AD CS can be used to create certificates and subsequently manage them; it is responsible for ensuring their validity. AD CS is often used in Windows Server 2008 R2 if there is no particular need to have a third party verify an organization’s certificates. It is common practice to set up a standalone CA for network encryption that requires certificates only for internal parties. Third-party certificate authorities such as VeriSign are also extensively used, but they require an investment in individual certificates.
Note

Although the term Active Directory has been incorporated into the name of the Windows Certificate Services function, it should be understood that AD CS does not necessarily require integration with an existing Active Directory Domain Services (AD DS) forest environment. Although this is commonly the case, it is important to understand that AD CS is independent of the AD DS forest design.
Windows Server 2008 R2 introduced a few additions to AD CS features, including the following:

Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service — This is the most significant improvement, essentially allowing certificates to be enrolled directly over HTTP, enabling non-domain or Internet-connected clients to connect and request certificates from a CA server.

Improved support for high-volume CAs used for NAP — AD CS in Windows Server 2008 R2 improves the database performance when high-volume scenarios such as NAP are utilized.

Support for cross-forest certificate enrollment — AD CS in Windows Server 2008 R2 allows for CA consolidation across multiple forests.


System Center Endpoint Protection 2012

Hi all and happy late new year…

Today I want to introduce new software from Microsoft called System Center Endpoint Protection 2012, which is going to be released soon. This is really good software that helps you centralize endpoint security in your environment. It will be used in conjunction with System Center Configuration Manager to bring a lot of exciting new security features. According to the information released about the product, an endpoint client will be distributed to the client computers, through which they can be connected to, and therefore managed by, the central management console installed on a server.

One of the interesting features is that if there are already anti-virus applications installed on the client computers, the endpoint client will automatically remove all those third-party anti-virus or anti-spyware products and install itself instead. SCEP 2012 will also provide support for non-Microsoft clients. All in all, SCEP 2012 will allow you to combine the two concepts of security management and client management. Usually one of them is missing in almost all the solutions we see on the market, and Microsoft believes that with SCEP 2012 they can bring both security and client management into the same window for the admins.

There has not been so much information about it yet but there is a great interview video you can watch here which is all about SCEP 2012.

You can also download the Release Candidate from this link.

Best Wishes

Identity Theft and its Huge Cost

Identity theft is a big threat for everyone in the cyber world, and each stolen identity is worth almost $5000 to a criminal, which is a pretty big number. But the question is: how are people taking care of their identity?

As far as my memory serves me, when it comes to security, people only think of installing anti-virus on their machines to protect them against any possible threats on the internet, and they are fully unaware of the fact that there are tens of different ways that could put their identity at risk. The infographic below by ZoneAlarm shows different identity theft techniques, the valuable outcome for the thieves, and of course the steps that need to be taken to hopefully get your ID back:

Windows 8 Picture Password

One of the new features of Windows 8 is the ability of the user to create a picture password which is quite interesting in its kind. Never before had we seen such functionality in an operating system and Microsoft seems to be very keen in improving the consumer security with such new features in its new operating system coming soon to the market.

Picture password allows you to use a picture instead of text to log in, but how? It’s pretty easy: you just need to choose a picture from your computer for your user account and then specify which parts of the picture you would like to tap, and how many times, before Windows will allow you to log in.

So every time you want to log in, you will see that picture asking you to tap, for example, three times on it, and you can log in provided that you have tapped the right places on the picture. Of course, tapping is not restricted to simply tapping your fingers on the screen surface; Windows will also allow you to draw shapes like lines and circles on the screen with each tap.

This is a great improvement in Windows, and I quite loved the idea. This will make it way more difficult for malicious users to break in by cracking the password. The level of difficulty of this type of password of course depends to a large extent on the number of taps on the picture, the gestures you have drawn, and also some other factors.

Here is a great link through which you can get more information about this new feature.

How people look at your profile page?!!

I don’t want to talk so much, as the picture I have posted below speaks for itself… This is how people look at your Facebook profile page. This information is based on a study conducted by eyetrackshop.com, and it pretty much shows how much unwanted attention people pay to your personal information.

If you want to see the result of the study on the profile pages of the other social networking websites, you can go to this link.

Cheers

Let’s assume the worst !!!

I was reading an interview with Andy Dancer, the CTO for EMEA at Trend Micro, and I really liked the points he made, so I thought, why not share them with you…

What he was talking about was that the old approach of having a perimeter network as the security frontier doesn’t work anymore, and we need to think about securing every host rather than looking at security in an enterprise as a whole. Nowadays the staff of a company tend to use their devices everywhere, even at work, which is one easy way of letting intruders in. Hackers no longer have to come through the firewall when they have such easy ways of accessing the network. One thing Dancer suggested was encryption on every possible device, whether a PC, a server, a tablet or a smartphone. Encryption plays a very important role in making sure the data is secure when the device is detached from the network. Microsoft BitLocker could be a really good choice since it provides offline encryption as well.

Let’s just assume the worst by asking ourselves: what if, for instance, this smartphone were compromised? What risks would the whole enterprise be exposed to? Is it that serious? What kind of data is it storing, and if that data were revealed, would the company sustain losses, and if so, to what extent?

Never think of patches as the only way to secure an end device. Patches for Microsoft platforms and software are released every Tuesday, but they need to be tested and then applied on the server, which naturally takes a long time; does that mean we need to leave the host in danger? Host-based IPS systems are the suggested solution for this type of risk. At least you can make sure that a lot of these kinds of attacks can be mitigated. I already have another article on my blog about mitigating 0-day exploits using the Microsoft Enhanced Mitigation Experience Toolkit, and it can be accessed from here.


Cheers

5nine Anti-Virus and Virtual Firewall for Hyper-V

When it comes to cloud security, as I have mentioned many times before in my blog posts and presentations, it is not only the physical servers that need to be protected against outside attacks; attacks from the inside have also become very critical. With all those different layers of security such as firewalls, IDS and IPS systems protecting the environment from outside attacks, attackers are now thinking of attacking from the inside, needing only a minimum of access to some resources inside the cloud infrastructure.

This minimum access is most of the time access to a virtual machine, where the attacker can settle down and try to escalate his/her privileges. In order to secure the access between the virtual machines and to stop hackers from reaching resources inside one VM from another VM, we need to make use of a firewall system to control the flow of traffic between the VMs. Before I go on to introduce a solution for that, it needs to be mentioned that there are already two ways to stop this kind of attack. The first is that there are a number of different filters built into the hypervisor in Microsoft Hyper-V, and since the hypervisor mediates access between the VMs, most of the attacks will be prevented. The other thing built into Hyper-V is the use of VLANs, and of course it is up to the designer to choose how he/she makes use of VLANs and virtual switches in Hyper-V to filter the traffic between different VMs.

But the one this article is going to be about is the 5nine Security Manager software, an anti-virus and virtual firewall that helps us defend against this kind of attack. It provides a lot of different features:

  • Controls Network Traffic – Using simple PowerShell API/scripts or the management application, we can control the flow of the traffic between the VMs and also between the VMs and the external network.
  • Security Heartbeat Service – A special kind of service that checks whether the rules are being enforced; if it determines that a VM is compromised, for instance, it will stop the VM.
  • Anti-Virus and Anti-Malware protection – This type of scan is managed so that it never lets any performance degradation occur.
  • Bandwidth Throttling – It also includes a VM bandwidth shaper.
  • Stateful Packet Inspection.
  • Deployment options – 5nine Virtual Firewall can be used with Microsoft System Center Virtual Machine Manager to be deployed on the physical machine before any of the VMs are placed on the physical machine.
  • Compliance Audits – It makes the admin able to monitor and audit the network traffic flowing between the VMs any time.

In this post I tried to give an overview of this really good software, and soon I will try to take a deeper dive into it.

For the time being, here is the website to have a close look at.

Cheers